hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-28 18:25:24 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #5911 from atorralba/atorralba/promote-missing-jwt-signature-check

Browse Source 
Java: Promote Missing JWT signature check query from experimental
This commit is contained in:
Tony Torralba
2021-08-05 09:43:03 +02:00
committed by GitHub
parent 1932f604dc 5f9f857c34
commit 0356ed7f9e
35 changed files with 288 additions and 278 deletions
Download Patch File Download Diff File Expand all files Collapse all files

0
java/ql/test/query-tests/security/CWE-347/MissingJWTSignatureCheckTest.expected Normal file
View File

141
java/ql/test/query-tests/security/CWE-347/MissingJWTSignatureCheckTest.java Normal file
View File

@@ -0,0 +1,141 @@
import io.jsonwebtoken.Header;
import io.jsonwebtoken.Jws;
import io.jsonwebtoken.Jwt;
import io.jsonwebtoken.JwtHandlerAdapter;
import io.jsonwebtoken.JwtParser;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.impl.DefaultJwtParser;
import io.jsonwebtoken.impl.DefaultJwtParserBuilder;
public class MissingJWTSignatureCheckTest {
private JwtParser getASignedParser() {
return Jwts.parser().setSigningKey("someBase64EncodedKey");
}
private JwtParser getASignedParserFromParserBuilder() {
return Jwts.parserBuilder().setSigningKey("someBase64EncodedKey").build();
}
private JwtParser getASignedNewParser() {
return new DefaultJwtParser().setSigningKey("someBase64EncodedKey");
}
private void callSignedParsers() {
JwtParser parser1 = getASignedParser();
badJwtOnParserBuilder(parser1, "");
badJwtHandlerOnParserBuilder(parser1, "");
goodJwtOnParserBuilder(parser1, "");
goodJwtHandler(parser1, "");
JwtParser parser2 = getASignedParserFromParserBuilder();
badJwtOnParserBuilder(parser2, "");
badJwtHandlerOnParserBuilder(parser2, "");
goodJwtOnParserBuilder(parser2, "");
goodJwtHandler(parser2, "");
JwtParser parser3 = getASignedNewParser();
badJwtOnParserBuilder(parser3, "");
badJwtHandlerOnParserBuilder(parser3, "");
goodJwtOnParserBuilder(parser3, "");
goodJwtHandler(parser3, "");
}
private JwtParser getAnUnsignedParser() {
return Jwts.parser();
}
private JwtParser getAnUnsignedParserFromParserBuilder() {
return Jwts.parserBuilder().build();
}
private JwtParser getAnUnsignedNewParser() {
return new DefaultJwtParser();
}
private void callUnsignedParsers() {
JwtParser parser1 = getAnUnsignedParser();
badJwtOnParserBuilder(parser1, "");
badJwtHandlerOnParserBuilder(parser1, "");
goodJwtOnParserBuilder(parser1, "");
goodJwtHandler(parser1, "");
JwtParser parser2 = getAnUnsignedParserFromParserBuilder();
badJwtOnParserBuilder(parser2, "");
badJwtHandlerOnParserBuilder(parser2, "");
goodJwtOnParserBuilder(parser2, "");
goodJwtHandler(parser2, "");
JwtParser parser3 = getAnUnsignedNewParser();
badJwtOnParserBuilder(parser3, "");
badJwtHandlerOnParserBuilder(parser3, "");
goodJwtOnParserBuilder(parser3, "");
goodJwtHandler(parser3, "");
}
private void signParserAfterParseCall() {
JwtParser parser = getAnUnsignedParser();
parser.parse(""); // Safe
parser.setSigningKey("someBase64EncodedKey");
}
private void badJwtOnParserBuilder(JwtParser parser, String token) {
parser.parse(token); // $hasMissingJwtSignatureCheck
}
private void badJwtHandlerOnParserBuilder(JwtParser parser, String token) {
parser.parse(token, new JwtHandlerAdapter<Jwt<Header, String>>() { // $hasMissingJwtSignatureCheck
@Override
public Jwt<Header, String> onPlaintextJwt(Jwt<Header, String> jwt) {
return jwt;
}
});
}
private void goodJwtOnParserBuilder(JwtParser parser, String token) {
parser.parseClaimsJws(token) // Safe
.getBody();
}
private void goodJwtHandler(JwtParser parser, String token) {
parser.parse(token, new JwtHandlerAdapter<Jws<String>>() { // Safe
@Override
public Jws<String> onPlaintextJws(Jws<String> jws) {
return jws;
}
});
}
private void badJwtOnParserBuilder(String token) {
Jwts.parserBuilder().setSigningKey("someBase64EncodedKey").build().parse(token); // $hasMissingJwtSignatureCheck
}
private void badJwtOnDefaultParserBuilder(String token) {
new DefaultJwtParserBuilder().setSigningKey("someBase64EncodedKey").build().parse(token); // $hasMissingJwtSignatureCheck
}
private void badJwtHandlerOnParser(String token) {
Jwts.parser().setSigningKey("someBase64EncodedKey").parse(token, // $hasMissingJwtSignatureCheck
new JwtHandlerAdapter<Jwt<Header, String>>() {
@Override
public Jwt<Header, String> onPlaintextJwt(Jwt<Header, String> jwt) {
return jwt;
}
});
}
private void goodJwtOnParser(String token) {
Jwts.parser().setSigningKey("someBase64EncodedKey").parseClaimsJws(token) // Safe
.getBody();
}
private void goodJwtHandlerOnParserBuilder(String token) {
Jwts.parserBuilder().setSigningKey("someBase64EncodedKey").build().parse(token, // Safe
new JwtHandlerAdapter<Jws<String>>() {
@Override
public Jws<String> onPlaintextJws(Jws<String> jws) {
return jws;
}
});
}
}

20
java/ql/test/query-tests/security/CWE-347/MissingJWTSignatureCheckTest.ql Normal file
View File

@@ -0,0 +1,20 @@
import java
import semmle.code.java.security.MissingJWTSignatureCheckQuery
import TestUtilities.InlineExpectationsTest
class HasMissingJwtSignatureCheckTest extends InlineExpectationsTest {
HasMissingJwtSignatureCheckTest() { this = "HasMissingJwtSignatureCheckTest" }
override string getARelevantTag() { result = "hasMissingJwtSignatureCheck" }
override predicate hasActualResult(Location location, string element, string tag, string value) {
tag = "hasMissingJwtSignatureCheck" and
exists(DataFlow::Node source, DataFlow::Node sink, MissingJwtSignatureCheckConf conf |
conf.hasFlow(source, sink)
|
sink.getLocation() = location and
element = sink.toString() and
value = ""
)
}
}

1
java/ql/test/query-tests/security/CWE-347/options Normal file
View File

@@ -0,0 +1 @@
semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/jwtk-jjwt-0.11.2